Password Policy Enforcer

Password policy rules

PPE's password policy rules can enforce almost any password policy. Multiple policies can be created to implement fine-grained password policies for both domain and local user accounts on Windows Server 2012, 2008 and 2003, and on Windows 10, 8, 7, Vista, and XP.

The PPE Maximum Age and Minimum Age rules can only be enforced for domain accounts. For local (non-domain) accounts, use the built-in Windows maximum and minimum password age settings together with PPE's other rules.

Character

The Character rules reject passwords that contain, or do not contain, certain characters. These rules check the whole password by default, but you can configure PPE to only check specific character positions (for example, from the second to the fifth character). There are seven Character rules, each with its own customizable character set:

  • Alpha Lower (a - z)
  • Alpha Upper (A - Z)
  • Alpha (a - z and A - Z)
  • Numeric (0 - 9)
  • Special (All characters not included above)
  • High (All characters above ANSI 126)
  • Custom (No default characters)

Character Pattern

The Character Pattern rule rejects passwords that contain sequential character patterns such as "abcde" or "12345". You can choose whether it should detect alphabetic patterns, numeric patterns, or both. The tolerance is configurable, and there are options to detect character substitution (e.g. replacing S with $) and bi-directional analysis (detecting the pattern written in reverse, such as "edcba").

Complexity

The Complexity rule rejects passwords that do not contain characters from a variety of character sets. The required number and selection of character sets are both configurable.

Dictionary

The Dictionary rule rejects passwords that are vulnerable to dictionary or hybrid (dictionary word plus mangling rules) cracking attacks. PPE searches for weak passwords in a customizable dictionary file. The Dictionary rule can detect partial matches (a dictionary word inside a longer password), character substitution, and character reversal. A second Dictionary rule is also included for additional flexibility. You can use the second rule to relax the dictionary requirements for long passwords and passphrases.
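The checks behind the Character Pattern and Dictionary rules, written out as an added example in plain Python. This is not PPE's code; it shows one way to implement sequence detection and dictionary matching with character-substitution and reversal detection, plus the two-tier check (strict rule for short passwords, relaxed rule for passphrases) the Dictionary section describes. The substitution table, the run-length and partial-match thresholds, the 15-character passphrase boundary and the word list are all assumptions.

```python
# Added example (not PPE's code): Character Pattern and Dictionary rule logic.
# Substitution table, thresholds and word list are assumptions.

# Assumed substitution table: the characters users swap for letters.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Constructed sample word list; a real deployment loads a dictionary file.
WORDS = {"password", "welcome", "summer", "dragon", "letmein", "horse", "cat"}


def variants(password, substitution=True, bidirectional=True):
    """All forms of the password a rule is checked against: as typed (lower
    case), with substitutions undone, and, if bidirectional, each reversed."""
    forms = [password.lower()]
    if substitution:
        forms.append(forms[0].translate(LEET))
    if bidirectional:
        forms += [f[::-1] for f in forms]
    return forms


def has_sequence(password, min_run=5, alpha=True, numeric=True,
                 substitution=True, bidirectional=True):
    """Character Pattern rule: True if the password contains an ascending run
    of `min_run` letters or digits ('abcde', '12345').  Descending runs such
    as 'edcba' are caught through the reversed forms when bidirectional=True."""
    for form in variants(password, substitution, bidirectional):
        run = 1
        for prev, cur in zip(form, form[1:]):
            same_class = (alpha and prev.isalpha() and cur.isalpha()) or \
                         (numeric and prev.isdigit() and cur.isdigit())
            run = run + 1 if same_class and ord(cur) == ord(prev) + 1 else 1
            if run >= min_run:
                return True
    return False


def dictionary_hit(password, words, min_partial=4, whole_only=False,
                   substitution=True, reversal=True):
    """Dictionary rule: return the dictionary word found, or None.  Partial
    matches (a word inside the password) need at least `min_partial`
    characters so that 'cat' does not reject 'catalog99'; whole_only=True
    ignores partial matches and only rejects a password that *is* a word."""
    for form in variants(password, substitution, reversal):
        for word in sorted(words):
            if word == form or (not whole_only and len(word) >= min_partial
                                and word in form):
                return word
    return None


def check_dictionary(password, words, strict_below=15):
    """The two dictionary rules the page describes: the strict rule (partial
    matches count) for passwords shorter than `strict_below` characters, and
    a relaxed whole-word-only rule for longer passwords and passphrases.
    Returns (accepted, reason)."""
    relaxed = len(password) >= strict_below
    hit = dictionary_hit(password, words, whole_only=relaxed)
    if hit:
        verb = "is the dictionary word" if relaxed else "contains dictionary word"
        return False, f"{verb} '{hit}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Xy12345", "edcba99", "P@ssw0rd123", "drowssap!",
               "Summer2024!", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{pw!r}: sequence={has_sequence(pw)}, "
              f"dictionary={check_dictionary(pw, WORDS)}")
```

Note that "horse" on its own is rejected by the strict rule, while the 28-character passphrase containing it passes under the relaxed rule; that is the trade-off the second Dictionary rule exists to express.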

First Character

The First Character rule rejects passwords that do not begin with an appropriate character. Multiple character sets can be flagged as valid or invalid.

History

The History rule rejects passwords that are identical to a recently used password. PPE can enforce this rule for a number of password changes or a number of days.

Keyboard Pattern

The Keyboard Pattern rule rejects passwords that contain keyboard patterns such as "qwerty". Direction changes, repeated keys, and skipped keys can be detected if desired. You can also choose which keyboard layouts are searched for matching patterns.
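A keyboard-pattern detector with selectable layouts and the three options the Keyboard Pattern rule describes (direction changes, repeated keys, skipped keys), added here as an example. This is not PPE's code. The layout rows, the walk rules (along a row or straight down a column, no diagonals), the two layouts included and the four-key threshold are assumptions.

```python
# Added example (not PPE's code): Keyboard Pattern rule logic.
# Layouts, walk rules and thresholds are assumptions.

# Assumed layouts: the digit row and three letter rows of each layout.
LAYOUTS = {
    "qwerty": ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"],
    "qwertz": ["1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm"],
}


def key_positions(layout):
    """Map each key to its (row, column) on the layout."""
    return {ch: (r, c) for r, row in enumerate(LAYOUTS[layout])
            for c, ch in enumerate(row)}


def keyboard_run_length(password, layout="qwerty", direction_changes=False,
                        repeated_keys=False, skipped_keys=False):
    """Length of the longest walk over neighbouring keys in the password.
    A walk moves along a row (one key, or two if skipped_keys) or straight
    down/up a column.  Without direction_changes a reversal ('asdf' then
    'dsa') starts a new walk; without repeated_keys a doubled key breaks it."""
    pos = key_positions(layout)
    text = password.lower()
    best = run = 1
    direction = None                 # (row step, column step) of the current walk
    limit = 2 if skipped_keys else 1
    for prev, cur in zip(text, text[1:]):
        if prev not in pos or cur not in pos:
            run, direction = 1, None
            continue
        dr, dc = pos[cur][0] - pos[prev][0], pos[cur][1] - pos[prev][1]
        along_row = dr == 0 and 0 < abs(dc) <= limit
        down_column = abs(dr) == 1 and dc == 0
        if dr == 0 and dc == 0:                       # same key pressed twice
            if repeated_keys:
                run += 1
            else:
                run, direction = 1, None
        elif along_row or down_column:
            step = ((dr > 0) - (dr < 0), (dc > 0) - (dc < 0))
            if direction is not None and step != direction and not direction_changes:
                run = 2                               # new walk from this pair
            else:
                run += 1
            direction = step
        else:
            run, direction = 1, None
        best = max(best, run)
    return best


def has_keyboard_pattern(password, min_run=4, layouts=("qwerty", "qwertz"),
                         **options):
    """Name of the first layout on which the password walks `min_run` or more
    neighbouring keys, or None if no selected layout matches."""
    for layout in layouts:
        if keyboard_run_length(password, layout, **options) >= min_run:
            return layout
    return None


if __name__ == "__main__":
    for pw in ["qwerty", "1qaz2wsx", "asdfdsa", "qwertzuiop", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {has_keyboard_pattern(pw)}")
```

Searching more than one layout matters for mixed estates: "qwertzuiop" is only a six-key walk on a QWERTY map but a ten-key one on QWERTZ, so a policy that checks only the local layout misses it.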

Last Character

The Last Character rule rejects passwords that do not end with an appropriate character. Multiple character sets can be flagged as valid or invalid.

Length

The Length rule rejects passwords that contain too few or too many characters.

Maximum Age

The Maximum Age rule forces users to change their passwords regularly. Multiple expiry modes allow you to gradually introduce a new password policy with minimal impact on users and the help desk. You can also configure PPE to extend the maximum age of long passwords. This encourages users to choose longer passwords and passphrases which need to be changed less frequently than shorter passwords.

Minimum Age

The Minimum Age rule stops users from quickly cycling through a series of passwords to exhaust the History and Similarity rules and return to a favourite password.

Repeating Characters

The Repeating Characters rule rejects passwords that contain excessive character repetition.

Repeating Pattern

The Repeating Pattern rule rejects passwords such as "Passw0rdPassw0rd". Some users choose passwords like this to increase the length of a short password which would otherwise not comply with the password policy. The tolerance is configurable, so you can allow some repetition while rejecting more blatant examples. Character substitution detection and bi-directional analysis can also be enabled to increase the effectiveness of this rule.

Similarity

The Similarity rule rejects passwords that are similar to a user's current password. Unlike the History rule, which only detects identical passwords, PPE's Similarity rule can detect partial matches to deter users from serializing passwords (password1, password2, etc.). PPE does not store passwords or password hashes to enforce the Similarity rule. Character substitution detection and bi-directional analysis can be enabled to increase the effectiveness of this rule.

Unique Characters

The Unique Characters rule rejects passwords that do not contain a minimum number of unique characters.

User Display Name

The User Display Name rule rejects passwords that are similar to a user's display name. Configurable parameters include match tolerance, character substitution detection, and bi-directional analysis.

User Logon Name

The User Logon Name rule rejects passwords that are similar to a user's logon name. Configurable parameters include match tolerance, character substitution detection, and bi-directional analysis.
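The Repeating Pattern, Similarity, User Display Name and User Logon Name rules all come down to the same mechanism: a partial-match comparison with a configurable tolerance, optional character-substitution detection and optional bi-directional analysis. The following is an added example of that mechanism in plain Python, not PPE's code. The reference string (current password or user name) is passed in as a plain argument; that is an assumption, since the page says PPE stores neither passwords nor hashes for the Similarity rule and does not say how the comparison is obtained. The substitution table, the longest-common-substring measure, and the tolerances are assumptions too.

```python
# Added example (not PPE's code): partial-match logic for the Repeating
# Pattern, Similarity, User Display Name and User Logon Name rules.
# Substitution table, match measure and tolerances are assumptions.
import re

# Assumed substitution table: the characters users swap for letters.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def normalise(text, substitution=True):
    """Lower-case and, optionally, undo common character substitutions."""
    text = text.lower()
    return text.translate(LEET) if substitution else text


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def too_similar(candidate, reference, tolerance=0, substitution=True,
                bidirectional=True, split=False, min_token=3):
    """Similarity and user-name rules: True if the candidate shares a run of
    len(reference) - tolerance characters (never fewer than min_token) with
    the reference.  split=True checks each word of a display name on its own;
    bidirectional=True also compares the reversed candidate."""
    forms = [normalise(candidate, substitution)]
    if bidirectional:
        forms.append(forms[0][::-1])
    ref = normalise(reference, substitution)
    tokens = re.split(r"[^a-z0-9]+", ref) if split else [ref]
    for token in tokens:
        if len(token) < min_token:
            continue                      # skip initials and short particles
        need = max(min_token, len(token) - tolerance)
        if any(longest_common_substring(f, token) >= need for f in forms):
            return True
    return False


def repeating_block(password, tolerance=0, substitution=True, bidirectional=True):
    """Repeating Pattern rule: the length of the block the password repeats
    ('Passw0rdPassw0rd' -> 8), or None.  Up to `tolerance` positions may
    differ from a perfect repetition; bidirectional=True also catches a block
    followed by its mirror image ('Abc123321cbA')."""
    form = normalise(password, substitution)
    n = len(form)
    for period in range(1, n // 2 + 1):
        if sum(a != b for a, b in zip(form, form[period:])) <= tolerance:
            return period
    if bidirectional and n % 2 == 0:
        half = n // 2
        if sum(a != b for a, b in zip(form[:half], form[half:][::-1])) <= tolerance:
            return half
    return None


if __name__ == "__main__":
    print(too_similar("Password2", "Password1", tolerance=2))     # serialised
    print(too_similar("1drowssaP", "Password1", tolerance=2))     # reversed
    print(too_similar("Smithers!", "John Smith", split=True))     # display name
    print(repeating_block("Passw0rdPa$$word"))                    # 8
```

With tolerance 0 the logon-name check only fires on the complete name, so "Smith2024" passes against the logon name "jsmith"; raising the tolerance to 1 rejects it. The Similarity rule needs a non-zero tolerance for the same reason, otherwise "Password2" would not be flagged against "Password1".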